nodebestpractices/sections/security/safemoduleloading.md

Avoid module loading using a variable

One Paragraph Explainer

Avoid requiring/importing another file with a path that was given as parameter due to the concern that it could have originated from user input. This rule can be extended for accessing files in general (i.e. fs.readFile()) or other sensitive resources with dynamic variables originating from user input.

Code example

// insecure, as helperPath variable may have been modified by user input
const badWayToRequireUploadHelpers = require(helperPath);

// secure
const uploadHelpers = require('./helpers/upload');